diff --git a/ansible/roles/kolla-ansible/library/kolla_passwords.py b/ansible/roles/kolla-ansible/library/kolla_passwords.py
index 4b3c0491d..733f5e038 100644
--- a/ansible/roles/kolla-ansible/library/kolla_passwords.py
+++ b/ansible/roles/kolla-ansible/library/kolla_passwords.py
@@ -76,6 +76,12 @@ def vault_encrypt(module, file_path):
 
 def vault_decrypt(module, file_path):
     """Decrypt a file using Ansible vault"""
+
+    # Return immediately if file not encrypted
+    with open(file_path, 'r') as f:
+        if not f.readline()[:15] == "$ANSIBLE_VAULT;":
+            return
+
     password_path = create_vault_password_file(module)
     try:
         cmd = ["ansible-vault", "decrypt",
diff --git a/releasenotes/notes/fix-unnecessary-decryption-bug-adaf2f6385a77f48.yaml b/releasenotes/notes/fix-unnecessary-decryption-bug-adaf2f6385a77f48.yaml
new file mode 100644
index 000000000..70fc5804f
--- /dev/null
+++ b/releasenotes/notes/fix-unnecessary-decryption-bug-adaf2f6385a77f48.yaml
@@ -0,0 +1,5 @@
+---
+fixes:
+  - |
+    Fixes an error when generating passwords.yml if an unencrypted file exists
+    but a password has been supplied.